DoCoMo Starts Cell Phone Smart Card Trial
virtualXTC writes "The Japanese phone company NTT DoCoMo and electronics giant Sony will begin a trial of cell phones with embedded smart cards with speed pass-like capabilities that will allow the user to purchase anything from travel passes to movie tickets just by placing their cell phone near an electronic reader. Potentially the smart card 'can serve as an ID card, travel pass, or login for a corporate computer network, all at the same time'. If they'd just attach a money clip to it, I could get rid of my wallet entirely."
Sure, electronic payment is convenient, but nothing says anonymous like cash.
While I love this idea in principle, I do have a few concerns before I welcome our new overlords.
What about standards? The article compares the smart chip technique to credit cards, but credit cards use a pseudo-standardized magnetic strip methodology. Are retailers to have 10 different receivers sitting at their POS terminals for 10 different cell phone/smart card providers? Along these lines - adopting early could be dangerous as one may invest in hardware that does not conform to the final standard and therefore be useless.
What about security? Until more information about how the protocol works, how security is maintained, and exactly how one can control what information is broadcasted is released, can we really trust this technology with our personal information? And this doesn't even begin to cover eavesdropping. (My tinfoil hat may be disrupting my thinking here)
When I hand my credit card to a clerk, I know exactly what information will be gleaned by the scanner from the magnetic strip. It doesn't change. What happens when I get a firmware upgrade on my phone? Can I trust that I am still secure from unauthorized access or even that my phone/ID/credit card gizmo is still only transmitting information that I approve?
One interesting alternative to this close-contact technology would be an internet-based alternative. In this scenario, my phone would use XML over SSL or some other standardized system to tell my provider to tell the POS that I am there and to relay what other information is necessary. Using this method, software-based upgrades could take care of standardization without any modification to hardware.
How many roads must a man walk down? 42.
serve as an ID card, travel pass
behold, they know your every move
Guy 2: Sure, why not. My night minutes are free anyway.
Guy 1: *Swipe* Thanks.
Guy 2: Hey, did you just buy movie tickets?
Slashdotter are stupid and biased.
My wife loses/destroys cell phones like crazy. Much less her wallet... I would not like this one for her...
...remember good ol' times when IP used to mean Internet Protocol....
Cellphone allows users to swipe and go
15:23 16 December 03
NewScientist.com news service
A trial starting on Wednesday will allow thousands of Japanese mobile phone owners to use their phones as a swipe card to pay for purchases, as travel passes, and as concert and movie tickets.
The trial is the first to embed smart cards within the phones, and has been set up by phone company NTT DoCoMo and electronics giant Sony.
Like other "contactless" smartcards, the user simply has to place their phone near a reader to exchange information. This does away with the need to have printed tickets or passes. So, for example, a cinema ticket could be bought using the phone's online features, with a swipe of the phone giving entry to the screening.
The convergence of these two technologies is attractive and technically quite straightforward, says Rob Bamforth, an analyst with Bloor Research in Bletchley, Buckinghamshire, UK.
"Mobile phone systems are already built to be secure and already have different payment models," he says, and most people now carry them in developed countries.
Multiple functions
The cards in the trial are capable of storing about two kilobytes of information, enough for it to perform multiple functions. For example it can serve as an ID card, travel pass, or login for a corporate computer network, all at the same time.
As people increase their use of phones for retail purposes, the role of the mobile phone operator may change, Bamforth told New Scientist. "It makes them more analogous to credit card companies."
The Japanese trial will run until summer 2004 and during this time thousands of specially adapted phones will be handed out to employees of the 25 companies that are participating in the scheme. Services will include being able to buy tickets and check-in at airports using their phone.
Swipe cards have long been used on public transport systems in Japan. The smartcard technology being used in the phones, called FeliCa, was originally developed by Sony in 1988.
But what sets the new trial apart from other smartcard systems and from previous electronic wallet schemes is the ability of the phone to store a receipt of a purchase on the smartcard chip within the phone.
Duncan Graham-Rowe
HOW'S MY POSTING? CALL 1-800-POSTING
This will be great for the phone sex hotlines.
Will make it easier for thieves to steal but limit and possibly track them as well. All the thief would have to do is walk up to the register and the victim's card is charged. KA CHING. It becomes a race: how long can the thief use it before it's discovered stolen and they have to leave it in the subway? Do the police keep the phone running and charges piling up but use the phone to trace the thief to his residence? Is the encryption used by the phone/wireless any better than the encryption used by standard wireless cards (i.e. how easy is it to sniff for credit card numbers)?
The world of thievery just got more interesting
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth" - I said it, so sue me.
I am not sure if I want it suddenly to hold all of my cash as well. It holds all of my personal information, dates and phone numbers, and if someone was clever they could find out a lot about my servers. So currently, I believe that I have too many eggs in one basket with the functions that it carries out now. To expand those to include purchasing seems to be inviting disaster.
What the hell do I do if I lose it?
who grabs your phone from using to purchase lots of things all on your dime until you can properly report it stolen (assuming you're not in a coma from the blows to your head)?
I'm going to print up a tshirt that says on the front back and sleeves
"By reading this shirt or walking within 3 feet of me, you're obligated to pay me 1 cent. I'll then just carry a small antenna that'll attempt to connect to the nearest smart card device and charge it 1 cent."
I know the figures in the high 80's for the number of people who now own cell phones. I can now quit my job and just walk around the mall collecting my "toll".
Yes Francis, the world has gone crazy.
As a retailer, I can say that there is no way I'd spend money accepting something like this. At least not for many, many years. Look at the current retail environment... it's being destroyed by people shopping online, cutting into margins. Most retailers STILL don't accept Amex (I do), even though accepting Amex takes a 5 minute telephone call, and $0 additional investment. Hell, it took the fast food chains many years to ever take credit cards. Considering how much $$ this is going to cost us as retailers, I can say that there's no way in hell I'd do this until it becomes very, very universal, and a large number of customers start asking for it (no, 1 or 2 geeks doesn't count as a large number of customers). Credit cards work just fine, anyway. This is another solution to a non-existent problem.
Nothing says 'anonymous' more than cash, and cash still goes places where American Express/Visa/whatever have not been, and probably never will be. Bills still talk a lot louder than plastics...
And it doesn't cost anything for the 'privilege' of spending your own damn money when you use cash...
Kinda tells you something, when the world of 'credit' is starting to favor people who the creditors know will default and be indentured for years upon years to come......
There's no wrong way, to eat a Rhesus...
On the upper west side of manhattan, they tried a "money on a card" program. Chase and Citibank. You could put it on an ATM card with a smartchip or, like I did, just ask for a card, give them cash which value they xfer'd to the card and leave. No names, no signing anything, etc.
It was a huge P.I.T.A. to use it, but I put that down to testing where clerical help are not necessarily the brightest sticks in the bundle :)
However I never renewed mainly because this was cash equivalent. Exactly. With no PIN on the card or ANY protection, you swipe my card, you have my cash and can use it. The minor addition of a PIN would have made it better than cash in that it's not a theft target.
A friend who did this on his ATM card played with it and said: "Oh wait, my ATM card now has value to a mugger? Great."
So in the end, its big feature was what a friend called: "Just like cash, only you can only use it in certain places and it's a pain in the ass." Pathetically, their only marketing point was "you don't have to dig for the right change anymore." (as using currency is really hard for people to handle after 3000 years.)
I'm going to presume that with DoCoMo, you have to AUTHENTICATE the transaction. That someone with a reader can't walk by you or sit in front of your seat and transact your money to them.
There is an opportunity to do it well: anonymously and correctly.
A GSM chip needn't be attached to a phone or an ID (so the guy whose wife kills phones would be fine - all European phones I've used are chipped.) Move the chip to another phone and it's "your phone" immediately.
Do that with a cash chip, and I can send money from one phone to another.
I can rePIN it and pass the chip to Mom and just tell her the (new) PIN.
I can do this all untraceably, but verifiably. This isn't new. Electronics help, but it's been doable for quite some time. Again, David Chaum has done good writings on this topic.
Those features aren't so far-fetched. In fact, why does any of that require "smartcards" in the phone? How about just the crypto features on an authentication vCard + credit card number, and a standard protocol over Bluetooth, IR, SMS, or 3G-HTTP? Scandinavians can buy snacks and pay parking meters with their phones, so why jump through a "smartcard" hoop just to get a talking wallet?
--
make install -not war
So let me get this straight:
I carry around an object that broadcasts what is functionally equivalent to my credit card info to any reader within close proximity?
And so the guys that usually pull credit card numbers out of the garbage, or from lost/stolen card, or from bank records, and make dummy cards that they use in stores* will now be able to set up a portable reader, put it in a pocket, and wander through a crowded subway car picking up credit card numbers without anyone noticing?
Why would anyone want this?
Oh, yeah. Because they want it to be more convenient to make purchases.
Sigh.
*This has happened to me THREE TIMES, including once by a ring of thieves that successfully used the dummy cards in three different airports in three different countries simultaneously, even as my bank's fraud department watched via computer with me on the other end.
So someone gets their hands on a reader for these devices. This can be done by borrowing/stealing a reader from a store that has one installed or by someone who works at the manufacturing plant. Setup a power source and stick it in a backpack. Run a cable down to the reader which could either be in the pack or, if small enough, palmed in your hand.
As you walk through the streets, wave your hand across the phones of people standing around or as they walk by you. A laptop or PDA could be hooked up to the reader, recording all the information.
The protocol/encryption is taken care of by the stolen hardware. No need to worry about cracking it.
--
Now if this system is based upon its own network, then the reader doesn't have to do any decryption of the data. It can just be forwarded down the line to the network's core. The readers essentially become dumb terminals.
But I doubt this is the case. Every smart-card reader system that has a core data store includes storage space in individual readers to store transactions in case the core goes down.
--
What this type of system REALLY needs, as do existing ones such as smart pass or that gas station token thing, is some sort of activation button that must be depressed in order for information to be transmitted from the card. This would make it much more secure.
This New Scientist article doesn't cover if such a function exists with these new phones but given past devices that we've seen, I doubt it.
Visiting this past summer I saw a similar system in South Korea. The receiver looks like a big black eyeball (think HAL-9000) with a bright blue LED on top. They have these things all over - fast food joints, small markets (think 7-11), and on buses. Just put your phone near it, hit a button, and the charge goes onto your cell phone bill.
Seems like it was getting well adopted. I googled for it, but I can't remember the name exactly.
Cell phones now debit cards in S. Korea
Infrared lifestyle: South Koreans pay using cellphones
No keypad tampering / double readers (one real, one scam) / double swipes. Scan, enter PIN and wait for confirmation. If it fails, just try resending the same confirmation. If it *was* hijacked by a fake signal which you erroneously approved, you'd notice because the store would continue to refuse it.
Throw in a little failsafe, like "Warning: Remote fingerprint changed compared to previous session X seconds ago" and maybe ultimately over GSM, like "Automatically contest this claim if someone tries this transaction, it was not completed successfully" to the bank.
I'd never accept confirmation-free, it could fire on anything from a brush-pass or the guy next to me on the bus/train/tram/subway. Even if it did work when the keypad was not locked, it'd take just as long to hit "Menu, *, "scan", menu, *" as it would take to do a 4-digit pin + "OK"...
Kjella
Live today, because you never know what tomorrow brings
I, for one, welcome our new, corporate overlords.
Seriously, how can this sound like a good idea?
-- atomly
Speedpass systems have a fixed ID. These will most likely read something from your SIM card to facilitate switching handsets, as many users do. With today's phones supporting SMS, GPRS, Bluetooth, etc., how long before someone finds a way to read your charging information from afar? 30' Bluetooth range? Getting an SMS from Russia?
Before all that other tomfoolery. Look at your wallet: it has your ID cards, money, a Diners' Club credit card, and pictures of your family.
What the hell do you do if you lose it?
I believe the wallet is having too many eggs in one basket.. but people have been getting along with those fine for centuries. The simple solution is to not be a careless fop with things that are valuable to you.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The big question is will this save retailers money? The grand allure of "digital cash" is that you can do transactions and they won't cost $0.70 each and the credit companies won't get 3% of the transaction value from the merchant. They're more or less free!
In the world of commerce this is what counts. If it was just about "consumer convenience" we'd all just have credit cards and the credit companies would be dirty rich. Wait, that is how it is. Sickening.
Doesn't cost ME anything for using my credit card either, so long as I pay the balance by the due date. Granted the business that accepts my card pays a small % to the card company (and/or maybe a flat fee as well), I still pay nothing. I actually GET money for using the card too. There is a big misconception of people who never use a card and always hear about the horrors of credit card debt. You won't accumulate the debt unless you spend more than you can afford to pay off once the billing cycle ends. You also do not get charged anything if you don't carry a balance and your card has no annual fee, and don't use it to get cash advance via ATM, and don't go over your limit (if you do, you need to re-evaluate your finances). Just pay off the balance in full, not just minimum payment, and you pay only what you spent. If you shop around for a good card, you even get "rewards" for using the card instead of cash, like a % back, or points/miles towards purchases/plane tix. In the 8 years or so of using ccards for payment the only time I had to pay more than what I spent was for a laptop I let half the cost ride the card for an extra month as I couldn't pay in full on the due date.
Tm
Support TBI Research: http://www.raisinhope.org
No, you can use your cash card at multiple banks' machines. Japan may be backward in terms of ATMs only having hours of business from 8am to 7pm or so on average, or most refusing to accept foreign-issued credit cards, but for the major banks, all have usage agreements with one or more competitor.
The difference is that this smart card is off-line, an electronic wallet type idea, not an online transaction, so it has all the speed benefits associated with it. The main use, I suspect, is going to be for commuter passes and other pre-paid train cards (see the current FeliCa/Suica/Icoca system in use by JR, for instance), so you don't want to have to wait for 1 minute while trying to dial up to confirm you are allowed to go through the ticket gate.
I find it amusing that so many features are being packed into mobile phones when, realistically, they are so easy to steal. Wallets are hard to steal because they are only taken out at the point of sale, but people are always waving their mobiles around and losing them. This to me seems like another case of packing more complexity into the telephone network while making sensitive data more available to thieves. My boss recently lost his phone (stolen) at an XMAS party of only employees and he has had a really hard time getting back his numbers for overseas business contacts. Don't get me wrong, I think this is a good idea in principle, but I think before further telephone application development is made, perhaps more effort should be made in integrating telephone retrieval with local police authorities in locating stolen telephones... alternatively, like the kind folks at Mirabilis eventually realised, that data be stored on the network rather than on the phones so the impact of having a stolen handset is not so devastating to consumers.